Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Submit AYON_SERVER_URL to jobs #42

Merged
merged 26 commits into from
Oct 30, 2024
Merged

Submit AYON_SERVER_URL to jobs #42

merged 26 commits into from
Oct 30, 2024

Conversation

BigRoy
Copy link
Contributor

@BigRoy BigRoy commented Oct 7, 2024
edited
Loading

Changelog Description

Submit AYON_SERVER_URL with the Deadline Job.

To avoid submitting along the user's API key or exposing the service user API key in AYON settings we only submit along the AYON_SERVER_URL however we now have an extra setting on the Deadline repository for the AYON Server URL submitted with the jobs to supply their API keys.

Additional info

image

image

Fixes #27

⚠️ This requires updating the GlobalJobPreLoad and the AYON plug-in on Deadline Repository

Documentation with use case description ynput/ayon-documentation#285

Testing notes:

  1. Enable the plug-in in settings: ayon+settings://deadline/publish/CollectAYONServerToFarmJob/enabled

image

  1. Configure additional server URL if you have a custom server URL (other than defined in defaults in AYON settings)
  2. Submitting deadline jobs will submit along AYON_SERVER_URL if plug-in is enabled.
  3. The GlobalJobPreLoad plug-in will resolve the API key for a custom server URL submitted along as defined in its plugin settings.

@BigRoy BigRoy added the type: enhancement Improvement of existing functionality or minor addition label Oct 7, 2024
@BigRoy BigRoy self-assigned this Oct 7, 2024
@BigRoy
Copy link
Contributor Author

BigRoy commented Oct 7, 2024

Tagging @tweak-wtf who might be interested in this.

@BigRoy BigRoy marked this pull request as ready for review October 7, 2024 17:29
kalisp
kalisp reviewed Oct 8, 2024
View reviewed changes
client/ayon_deadline/plugins/publish/global/collect_deadline_job_env_vars.py Outdated
Comment on lines 69 to 78


class CollectAYONServerUrlToFarmJob(CollectDeadlineJobEnvVars):
label = "Submit AYON server URL to farm job"

# TODO: Expose the enabled/optional state to settings
ENV_KEYS = [
"AYON_SERVER_URL",
"AYON_USE_DEV",
]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want send AYON_SERVER_URL always? If thats the case, server url in AYON Deadline plugin doesn't make sense, neither code for it in GlobalJobPreload.

(Just note, API keys for all DL servers would need to be same as they would be still set via AYON DL plugin.)

@kalisp
Copy link
Member

kalisp commented Oct 8, 2024

Env var is being passed, but Settings for that collector should be added to make it optional.

@kalisp kalisp mentioned this pull request Oct 9, 2024
Merged
@kalisp
Copy link
Member

kalisp commented Oct 9, 2024

Is Submit AYON server URL to farm job proper label as it seems it could push AYON_API_KEY also. I am guessing it we need to push different AYON_API_KEY value, it should be set in global environment variables in ayon+settings://core/environments?

image
(I was thinking about usage during writing small documentation ynput/ayon-documentation#285 )

@BigRoy
Copy link
Contributor Author

BigRoy commented Oct 9, 2024
edited
Loading

Is Submit AYON server URL to farm job proper label as it seems it could push AYON_API_KEY also. I am guessing it we need to push different AYON_API_KEY value, it should be set in global environment variables in ayon+settings://core/environments?

Agree. What if we generalize this further, and make the settings like a dict where one can specify any amount of keys? The default settings could have AYON_API_KEY and AYON_SERVER_URL defined, but the plugin just disabled. That way it is as easy as just enabling it by default?

However, it wouldn't really clarify why you'd want to pass that.

Ideas @antirotor @m-u-r-p-h-y @iLLiCiTiT - better naming? different approach?
This documentation PR ynput/ayon-documentation#285 explains what this PR is trying to do.

iLLiCiTiT
iLLiCiTiT reviewed Oct 10, 2024
View reviewed changes
server/settings/publish_plugins.py Outdated
@@ -380,6 +390,11 @@ class PublishPluginsModel(BaseSettingsModel):
"primary_pool": "",
"secondary_pool": ""
},
"CollectAYONServerUrlToFarmJob": {
Copy link
Member

@iLLiCiTiT iLLiCiTiT Oct 10, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't be better to have settings for CollectDeadlineJobEnvVars with enum Pass AYON server url to job and options Always, User choice, Never instead of new plugin?

I mean, we have publish plugin attribute definitions, but working with them as we would still use pyblish pype...

kalisp
kalisp approved these changes Oct 10, 2024
View reviewed changes
Copy link
Member

@kalisp kalisp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested, worked.

My objection is to Submit AYON server URL to farm job, but otherwise fine.

@BigRoy
The applying of AYON_USE_DEV should already be solved on the farm t…
65d82a1 
…hrough the other env vars like the chosen bundle and default variant settings
@BigRoy
Set AYON API key from settings
08fa08f
@BigRoy
Merge branch 'enhancement/submit_ayon_server_url' of https://github.c…
4b21b44 
…om/BigRoy/ayon-deadline into enhancement/submit_ayon_server_url

# Conflicts:
#	client/ayon_deadline/plugins/publish/global/collect_deadline_job_env_vars.py
@BigRoy
Cosmetics
47d8512
@BigRoy
Copy link
Contributor Author

BigRoy commented Oct 10, 2024

@kalisp @iLLiCiTiT can you check the code and functionality again?

image
image
image

With API key set:
image
image

MustafaJafar
MustafaJafar reviewed Oct 16, 2024
View reviewed changes
Copy link
Contributor

@MustafaJafar MustafaJafar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I didn't go through all of the comments.
Anyways, This PR works and AYON_API_KEY is not propagated to the publish job when the collector is enabled.

@BigRoy
Merge branch 'develop' into enhancement/submit_ayon_server_url
741209c
@BigRoy
Move the passing of the AYON_API_KEY to Deadline Repository AYON Plug…
9c6ab87 
…-in settings. This way we're not exposing the API key in the AYON settings that any admin is capable of seeing but leave it up to the Deadline admin to configure.
@BigRoy BigRoy marked this pull request as ready for review October 19, 2024 13:02
@BigRoy BigRoy requested a review from iLLiCiTiT October 19, 2024 13:02
@BigRoy
Copy link
Contributor Author

BigRoy commented Oct 19, 2024

@kalisp @iLLiCiTiT I've implemented the implementation that @iLLiCiTiT proposed in the call we had about this PR. Now the AYON_API_KEY is to be configured is not configured in the AYON Settings on the server nor is it submitted along with the job. Instead only the server URL is submitted along but the API key is then resolved on the GlobalJobPreLoad by having server URLs configured on the deadline repository AYON plug-in settings. The PR description is also updated.

I personally like it less. It feels overly complicated. And only after I implemented this I figured this would also have problems if say two developers on one network are connecting to their servers using e.g. localhost as server URL, submit to the farm (to run only on their machine, because it's their dev job for example) then it still couldn't resolve the relevant API key unless both users use the same service user API key. Again, an edge case. My biggest concern is the 'somewhat more' complexity involved.

Anyway, please review and comment so we can decide to continue this way, or revert to the previous logic of this PR or do it even differently.

@tweak-wtf feel free to let you know your thoughts too.

@tweak-wtf
Copy link

if i understood correctly we'd now define additional AYON servers and their corresponding API keys in the AYON Deadline Plugin with this syntax <AYON_URL>:<AYON_PORT>@<AYON_API_KEY> alongside the default AYON Credentials settings resembling the main AYON server.
so we're giving the API key as a string to the Deadline Plugin as opposed to passing them around in dictionaries from a publish process. wouldn't that also expose the API KEy which we're trying to prevent?

However, this sounds fine to me really. I understand the security concerns that passing API keys in cleartext is badbadnotgood.

just a question... would it be possible/feasible to e.g. reference a secret name present in the main ayon instance instead for the actual API key? so something like dev.awesome.ayon.app@ayon-instance-dev-key-1?
imho this could make it even more secure since the keys are stored as secrets on the main instance and would only be retrieved from GlobalJobPreLoad if a job was submitted from one of the defined extra servers.

btw. from my side this is not urgent at all. i just think it'd be a great addition for devs to further isolate a prod env from a sandbox and could ease some pain in transitional phases from one ayon instance to another

@BigRoy
Copy link
Contributor Author

BigRoy commented Oct 21, 2024

so we're giving the API key as a string to the Deadline Plugin as opposed to passing them around in dictionaries from a publish process. wouldn't that also expose the API KEy which we're trying to prevent?

It does - but only to what's supposedly the admin/super-user on Deadline.

would it be possible/feasible to e.g. reference a secret name present in the main ayon instance instead for the actual API key?

I'd say no - because you'd first need to connect to the instance ;) using... an API key.

@tweak-wtf
Copy link

got ya. then it really feels fine to me.

@BigRoy
Copy link
Contributor Author

BigRoy commented Oct 23, 2024

@iLLiCiTiT should this also get bump minor label?

@iLLiCiTiT
Copy link
Member

@iLLiCiTiT should this also get bump minor label?

Yes please.

MustafaJafar
MustafaJafar approved these changes Oct 23, 2024
View reviewed changes
Copy link
Contributor

@MustafaJafar MustafaJafar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is cool, it works on my side.
I love the new idea of having Multiline AYON servers field.
I was too lazy to run an additional AYON instance so I've just removed the AYON server URL and used the new field solely. which makes me question the existence of the old setting. But anyways, this works!.
image

@kalisp
Copy link
Member

kalisp commented Oct 29, 2024

I added additional casting to list as I was suffering with:
image

@kalisp kalisp merged commit a04203a into ynput:develop Oct 30, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iLLiCiTiT iLLiCiTiT iLLiCiTiT approved these changes

@MustafaJafar MustafaJafar MustafaJafar approved these changes

@kalisp kalisp kalisp approved these changes

@tweak-wtf tweak-wtf Awaiting requested review from tweak-wtf

Assignees

@BigRoy BigRoy

Labels
bump minor type: enhancement Improvement of existing functionality or minor addition
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AY-6587_Deadline: use two or more Ayon servers in one DL repo
5 participants
@BigRoy @kalisp @iLLiCiTiT @tweak-wtf @MustafaJafar